Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-3323
Publication date:
06/04/2025
A vulnerability classified as critical was found in godcheese/code-projects Nimrod 0.8. Affected by this vulnerability is the function searchAllByName of the file ViewMenuCategoryRestController.java. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2025

CVE-2025-31492
Publication date:
06/04/2025
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any application-level gateway (or load balancer etc) protecting the server. When you request a protected resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-submitting form), and the protected resource (with no headers). This is an example of a request for a protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try to issue the protected resource. oidc_content_handler is called early, which has the opportunity to prevent the normal output being issued by httpd. oidc_content_handler has a number of checks for when it intervenes, but it doesn't check for this case, so the handler returns DECLINED. Consequently, httpd appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >= 2.4.16.11.
Severity CVSS v4.0: HIGH
Last modification:
17/04/2025

CVE-2025-32013
Publication date:
06/04/2025
LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
Severity CVSS v4.0: CRITICAL
Last modification:
08/04/2025

CVE-2025-31488
Publication date:
06/04/2025
Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows users to use homepages provided by third parties. If controls such as WebBrowser are used in the homepage, WPF will use Internet Explorer to load the specified webpage. If the user uses a malicious homepage, the attacker can use IE background to access the specified webpage without knowing it. This vulnerability is fixed in 2.9.3.
Severity CVSS v4.0: MEDIUM
Last modification:
07/04/2025

CVE-2025-2259
Publication date:
06/04/2025
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before <br /> version 6.4.3, an attacker can cause an integer underflow and a <br /> subsequent denial of service by writing a very large file, by specially <br /> crafted packets with Content-Length in one packet smaller than the data <br /> request size of the other packet. A possible workaround is to disable <br /> HTTP PUT support.<br /> <br /> <br /> <br /> <br /> This issue follows an incomplete fix of CVE-2025-0727
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-2260
Publication date:
06/04/2025
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before <br /> version 6.4.3, an attacker can cause a denial of service by specially <br /> crafted packets. The core issue is missing closing of a file in case of <br /> an error condition, resulting in the 404 error for each further file <br /> request. Users can work-around the issue by disabling the PUT request <br /> support.<br /> <br /> <br /> <br /> <br /> This issue follows an incomplete fix of CVE-2025-0726.
Severity CVSS v4.0: HIGH
Last modification:
31/07/2025

CVE-2025-2258
Publication date:
06/04/2025
In NetX Duo component HTTP server functionality of Eclipse ThreadX NetX Duo before <br /> version 6.4.3, an attacker can cause an integer underflow and a <br /> subsequent denial of service by writing a very large file, by specially <br /> crafted packets with Content-Length smaller than the data request size. A<br /> possible workaround is to disable HTTP PUT support.<br /> <br /> <br /> <br /> <br /> This issue follows an uncomplete fix in CVE-2025-0728.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-3318
Publication date:
06/04/2025
A vulnerability classified as critical was found in Kenj_Frog 肯尼基蛙 company-financial-management 公司财务管理系统 1.0. Affected by this vulnerability is the function page of the file src/main/java/com/controller/ShangpinleixingController.java. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2025

CVE-2025-3317
Publication date:
06/04/2025
A vulnerability classified as problematic has been found in fumiao opencms up to a0fafa5cff58719e9b27c2a2eec204cc165ce14f. Affected is an unknown function of the file opencms-dev/src/main/webapp/view/admin/document/dataPage.jsp. The manipulation of the argument path leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-3316
Publication date:
06/04/2025
A vulnerability was found in PHPGurukul Men Salon Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/search-invoices.php. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
07/05/2025

CVE-2025-3315
Publication date:
06/04/2025
A vulnerability was found in SourceCodester Apartment Visitor Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /view-report.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2025

CVE-2025-3314
Publication date:
06/04/2025
A vulnerability has been found in SourceCodester Apartment Visitor Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /forgotpw.php. The manipulation of the argument secode leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2025
Subscribe to Vulnerabilities